Red Hat Security Advisory: Multicluster Global Hub 1.5.4 security update

CVE-2026-4427 — github.com/jackc/pgproto3: pgproto3: Denial of Service via negative field length in DataRow message CVE-2026-21728 — grafana/tempo: Tempo: Denial of Service via large queries CVE-2026-25679 — net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-27137 — crypto/x509: Incorrect enforcement of email constraints in crypto/x509 CVE-2026-27889 — github.com/nats-io/nats-server: NATS-Server: Denial of Service via malformed WebSockets frame CVE-2026-29785 — github.com/nats-io/nats-server: NATS-Server: Denial of Service via leafnode compression CVE-2026-32280 — crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building CVE-2026-32281 — crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation CVE-2026-32282 — golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root CVE-2026-32283 — crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages CVE-2026-32285 — github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input CVE-2026-32286 — github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server CVE-2026-33186 — google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation CVE-2026-33215 — nats-server: NATS-Server: Session and message hijacking via MQTT Client ID malfeasance CVE-2026-33216 — nats-server: github.com/nats-io/nats-server: NATS-Server: Information disclosure of MQTT passwords through monitoring endpoints CVE-2026-33217 — nats-server: github.com/nats-io/nats-server: NATS-Server: Access control bypass via unapplied ACLs in MQTT namespace CVE-2026-33218 — nats-server: github.com/nats-io/nats-server: NATS-Server: Denial of Service via malformed message pre-authentication on leafnode port CVE-2026-33219 — github.com/nats-io/nats-server: NATS-Server: Denial of Service via unbounded memory use in WebSockets CVE-2026-33247 — github.com/nats-io/nats-server: NATS-Server: Information disclosure of credentials via monitoring port and command-line arguments CVE-2026-33413 — etcd: etcd: Authorization bypass allows information disclosure and denial of service CVE-2026-33487 — github.com/russellhaering/goxmldsig: goxmlsig: Integrity bypass due to incorrect XML Digital Signature validation via loop variable capture issue CVE-2026-33810 — crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application CVE-2026-33813 — golang.org/x/image: golang: golang.org/x/image: Denial of Service via malformed WEBP image parsing CVE-2026-33997 — moby: docker: github.com/moby/moby: Moby: Privilege validation bypass during plugin installation CVE-2026-34040 — Moby: Moby: Authorization bypass vulnerability CVE-2026-34986 — github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object CVE-2026-40890 — github.com/gomarkdown/markdown: github.com/gomarkdown/markdown: Denial of Service via malformed Markdown input CVE-2026-41602 — github.com/apache/thrift: Apache Thrift: Integer Overflow in TFramedTransport Go implementation CVE-2026-41603 — Apache Thrift: apache.com/apache/thrift: Apache Thrift: Security Bypass via Improper Certificate Hostname Validation CVE-2026-41604 — Apache Thrift: apache.com/apache/thrift: Apache Thrift: Out-of-bounds Read vulnerability CVE-2026-41605 — Apache Thrift: Apache Thrift: Integer Overflow or Wraparound Vulnerability CVE-2026-41606 — Apache Thrift: Apache Thrift: Denial of Service via uncontrolled recursion CVE-2026-41607 — Apache Thrift: apache.com/apache/thrift: Apache Thrift: Out-of-bounds Read vulnerability CVE-2026-41636 — apache.com/apache/thrift: Apache Thrift: Node.js skip() recursion CVE-2026-43869 — Apache Thrift: Apache Thrift: Security bypass due to improper certificate validation